Description: You can configure Access Server to use Remote Authentication Dial-in User Service (RADIUS) for user authentication and automatically assign Access Server users to groups based on their groups on the RADIUS server.
First, you need to set it up by downloading a Python script that runs post-authentication, loading it into your Access Server, and setting reply attributes for your use cases.
Follow the steps described in detail on OpenVPN Access Server post-auth RADIUS group mapping script.
In this article, we provide some examples of how to check that your script is working properly.
Note: Ensure you've already followed the steps in the page linked above to configure the script and the RADIUS authentication method before you use the tests below.
Test adding user properties with the post-auth script
You can use the post-auth script to add user properties automatically. Use the steps below to test whether adding user properties via the Callback-Number attribute works properly.
Test admin and auto-login privileges for one RADIUS user:
When you indicate that a user or group is an admin with auto-login profiles allowed, you set the Callback-Number to 11FFF:
- Set it on your RADIUS server (our example user is 'brandon'):
brandon Cleartext-Password := "brandon"
    Callback-Number := "11FFF"
- On your Access Server, test with the authcli tool (replace USERNAME and PASSWORD with the RADIUS user's credentials):
sudo su
cd /usr/local/openvpn_as/scripts/
./authcli --user USERNAME --pass PASSWORD
Here's an example output:
sudo su
root@openvpn-access-server-Brandon:~# cd /usr/local/openvpn_as/scripts
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./authcli --user brandon --pass brandon
API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandon
reason : RADIUS access accepted
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'prop_superuser': 'true'}
session_id : AS_vYZPDwLBCHqsJlqJtwCQvg==
expire : 1667072569
This shows that RADIUS authentication worked for the "brandon" user:
status : SUCCEED
reason : RADIUS access accepted
This shows that admin privileges ("prop_superuser") and auto-login privileges ("prop_autologin") were added to the "brandon" user:
'prop_superuser': 'true'
'prop_autologin': 'true'
Test admin privileges and LZO compression (true) for one RADIUS user:
When you indicate that the user or group is an admin with LZO compression enabled, you set the Callback-Number to 1F1FF:
- Set it on your RADIUS server (our example user is 'brandon'):
brandon Cleartext-Password := "brandon"
    Callback-Number := "1F1FF"
- On your Access Server, test with the authcli tool (replace USERNAME and PASSWORD with the RADIUS user's credentials):
sudo su
cd /usr/local/openvpn_as/scripts/
./authcli --user USERNAME --pass PASSWORD
Here's an example output:
sudo su
root@openvpn-access-server-Brandon:~# cd /usr/local/openvpn_as/scripts
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./authcli --user brandon --pass brandon
API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandon
reason : RADIUS access accepted
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'prop_superuser': 'true', 'prop_lzo': 'true'}
session_id : AS_RnvIk0hO/+OIBTWfSGInyQ==
expire : 1667073440
This shows that RADIUS authentication worked for the "brandon" user:
status : SUCCEED
reason : RADIUS access accepted
This shows that admin privileges ("prop_superuser") and LZO compression ("prop_lzo") were added to the "brandon" user:
'prop_superuser': 'true'
'prop_lzo': 'true'
You can also verify this via Access Server logs with this command:
grep "RADIUS-Reply" /var/log/openvpnas.log
Or specify a particular RADIUS user or group with these commands:
egrep 'RADIUS-Reply|Callback-Number' /var/log/openvpnas.log
egrep 'RADIUS-Reply|prop_superuser' /var/log/openvpnas.log
Here's an example of the output:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# egrep 'RADIUS-Reply|Callback-Number' /var/log/openvpnas.log
2022-10-29T14:34:49-0500 [stdout#info] ***** RADIUS-Reply: Callback-Number received, evaluating reply for OpenVPN Access Server access flags...
2022-10-29T14:34:49-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_superuser, setting to true...
2022-10-29T14:34:49-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_autologin, setting to true...
2022-10-29T14:48:52-0500 [stdout#info] ***** RADIUS-Reply: Callback-Number received, evaluating reply for OpenVPN Access Server access flags...
2022-10-29T14:48:52-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_superuser, setting to true...
2022-10-29T14:48:52-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_lzo, setting to true...
Test group mapping
You can use the post-auth script to automatically assign users to groups based on their RADIUS group assignments. Use the steps below to test whether group mapping via the Framed-Pool attribute works properly.
Test group mapping for a group named security
Suppose you have a RADIUS group, Security, and an Access Server group, security. The script adds RADIUS users in the Security group to the Access Server security group with the Framed-Pool attribute:
- Set it on your RADIUS server (our example user is 'brandon'):
brandon Cleartext-Password := "brandon"
    Framed-Pool := "security"
- On your Access Server, test with the authcli tool (replace USERNAME and PASSWORD with the RADIUS user's credentials):
sudo su
cd /usr/local/openvpn_as/scripts/
./authcli --user USERNAME --pass PASSWORD
Here's an example output:
sudo su
root@openvpn-access-server-Brandon:~# cd /usr/local/openvpn_as/scripts
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./authcli --user brandon --pass brandon
API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandon
reason : RADIUS access accepted
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'conn_group': 'security'}
session_id : AS_QYE3+DiegsVVwDYf3dW/YA==
expire : 1667073886
This shows that RADIUS authentication worked for the "brandon" user:
status : SUCCEED
reason : RADIUS access accepted
This shows that the "brandon" user was added to the "security" group:
'conn_group': 'security'
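The three authcli checks above (Callback-Number 11FFF, Callback-Number 1F1FF and Framed-Pool security) all come down to reading the AUTH_RETURN block and comparing the proplist against the properties you expect. The following script is an added example, not part of the article or of the OpenVPN Access Server tooling: it parses authcli output of the shape shown above and reports every expected property that is missing or wrong, so the check can be repeated for each user you map instead of eyeballing the dictionary. The sample output embedded in it is constructed from the first test on this page; the names of the functions and the EXPECTED_PROPS table are this example's own.

```python
import ast

# Constructed sample: the authcli output shown on this page for user
# "brandon" after RADIUS returned Callback-Number "11FFF" (admin + auto-login).
SAMPLE_AUTHCLI_OUTPUT = """API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandon
reason : RADIUS access accepted
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'prop_superuser': 'true'}
session_id : AS_vYZPDwLBCHqsJlqJtwCQvg==
expire : 1667072569
"""

# Properties each RADIUS reply attribute used on this page is expected to set.
# The table is this example's own; it only restates what the article's tests show.
EXPECTED_PROPS = {
    "Callback-Number 11FFF": {"prop_superuser": "true", "prop_autologin": "true"},
    "Callback-Number 1F1FF": {"prop_superuser": "true", "prop_lzo": "true"},
    "Framed-Pool security": {"conn_group": "security"},
}


def parse_authcli_output(text):
    """Turn the 'key : value' lines after AUTH_RETURN into a dict.

    The proplist line is printed as a Python dict literal, so it is parsed
    with ast.literal_eval (never eval) into a real dict.
    """
    result = {}
    in_return = False
    for line in text.splitlines():
        if line.strip() == "AUTH_RETURN":
            in_return = True
            continue
        if not in_return or " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        if key == "proplist":
            value = ast.literal_eval(value)
        result[key] = value
    return result


def check_auth_result(parsed, expected_props):
    """Return a list of problems; an empty list means the test passed.

    A failed RADIUS authentication and a missing or wrong property are both
    reported, because the post-auth script only runs when RADIUS accepted the user.
    """
    problems = []
    if parsed.get("status") != "SUCCEED":
        problems.append("status is %r, expected SUCCEED" % parsed.get("status"))
    if parsed.get("reason") != "RADIUS access accepted":
        problems.append("reason is %r, RADIUS did not accept the user" % parsed.get("reason"))
    proplist = parsed.get("proplist", {})
    for prop, want in expected_props.items():
        got = proplist.get(prop)
        if got != want:
            problems.append("%s is %r, expected %r" % (prop, got, want))
    return problems


if __name__ == "__main__":
    # Typical use: pipe the real output in, e.g.
    #   ./authcli --user brandon --pass brandon | python3 check_authcli.py
    # Here the constructed sample is checked against the 11FFF expectations.
    parsed = parse_authcli_output(SAMPLE_AUTHCLI_OUTPUT)
    problems = check_auth_result(parsed, EXPECTED_PROPS["Callback-Number 11FFF"])
    for line in problems or ["OK: all expected properties present"]:
        print(line)
```

Run it against the output of a real authcli call for each mapping you configured; any line it prints names the property that the post-auth script did not set as intended.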
You can check the user properties with this command:
./sacli --pfilt <USER_OR_GROUP> UserPropGet
Here's an example output:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./sacli --pfilt brandon UserPropGet
{
  "brandon": {
    "conn_group": "security",
    "type": "user_connect"
  }
}
You can also verify this via Access Server logs with this command:
grep "RADIUS-Reply" /var/log/openvpnas.log
Or specify a particular RADIUS user or group with these commands:
egrep 'RADIUS-Reply|security' /var/log/openvpnas.log
egrep 'RADIUS-Reply|Framed-Pool' /var/log/openvpnas.log
Here's an example output:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# egrep 'RADIUS-Reply|security' /var/log/openvpnas.log
2022-10-29T14:56:46-0500 [stdout#info] ***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to: security
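The two log checks on this page (grepping for RADIUS-Reply together with Callback-Number or prop_superuser, and together with Framed-Pool or the group name) produce one line per override, so on a busy server it helps to fold them back into one record per login. The script below is an added example, not part of the article or of Access Server: it reads /var/log/openvpnas.log lines of the format shown above, groups the RADIUS-Reply lines by timestamp, and returns for each login the property overrides and the group that were applied. The sample log is constructed from this page's lines; grouping by the timestamp to the second is an assumption of this example, as is the function name.

```python
import re
from collections import OrderedDict

# Constructed sample log: the RADIUS-Reply lines shown on this page (one
# Callback-Number login and one Framed-Pool login) plus an unrelated line
# that the parser must ignore.
SAMPLE_LOG = """2022-10-29T14:34:49-0500 [stdout#info] ***** RADIUS-Reply: Callback-Number received, evaluating reply for OpenVPN Access Server access flags...
2022-10-29T14:34:49-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_superuser, setting to true...
2022-10-29T14:34:49-0500 [stdout#info] *** RADIUS-Reply: Overrride found for prop_autologin, setting to true...
2022-10-29T14:35:02-0500 [stdout#info] some unrelated Access Server log line
2022-10-29T14:56:46-0500 [stdout#info] ***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to: security
"""

# timestamp, "[stdout#info]", a run of asterisks, then the RADIUS-Reply message
LINE_RE = re.compile(r"^(\S+) \[\S+\] \*+ RADIUS-Reply: (.*)$")
# "r+" tolerates the "Overrride" spelling that appears in the logged message
OVERRIDE_RE = re.compile(r"Overr+ide found for (\w+), setting to (\w+)")
GROUP_RE = re.compile(r"Framed-Pool received, setting OpenVPN Access Server group to: (\S+)")


def summarize_radius_replies(log_text):
    """Group RADIUS-Reply log lines into one record per login.

    Returns an OrderedDict keyed by timestamp; each value holds the
    property overrides ({prop: value}) and the group name (or None).
    Assumption: all lines of one login share the same second-resolution
    timestamp, as in the output on this page.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RADIUS-Reply line from the post-auth script
        ts, msg = m.groups()
        event = events.setdefault(ts, {"overrides": {}, "group": None})
        ov = OVERRIDE_RE.search(msg)
        if ov:
            event["overrides"][ov.group(1)] = ov.group(2)
        grp = GROUP_RE.search(msg)
        if grp:
            event["group"] = grp.group(1)
    return events


def format_summary(events):
    """Render the grouped records as one line per login for a quick review."""
    lines = []
    for ts, event in events.items():
        overrides = ", ".join("%s=%s" % kv for kv in sorted(event["overrides"].items())) or "none"
        lines.append("%s overrides: %s; group: %s" % (ts, overrides, event["group"] or "unchanged"))
    return lines


if __name__ == "__main__":
    # Typical use: python3 summarize_replies.py < /var/log/openvpnas.log
    # Here the constructed sample is summarized instead.
    for line in format_summary(summarize_radius_replies(SAMPLE_LOG)):
        print(line)
```

Feed it the real log (or the grep output from the commands above) and compare each login's record with the Callback-Number or Framed-Pool you configured for that user; a login with no overrides and an unchanged group means the post-auth script saw no attribute to act on.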
Test with the radtest tool
Another troubleshooting step is to verify, with the radtest tool, that the RADIUS server returns the expected reply attribute to the OpenVPN Access Server.
For Ubuntu/Debian:
apt update && apt -y install freeradius-utils
For CentOS/RHEL:
yum update -y
sudo yum -y install freeradius freeradius-utils freeradius-mysql freeradius-perl
Then run radtest like this:
radtest brandon admin123 10.10.10.10 0 radius123
Where:
brandon = RADIUS user
admin123 = RADIUS user password
10.10.10.10 = RADIUS server IP address
0 = NAS port number (radtest's required fourth argument)
radius123 = RADIUS shared secret
Here's an example output:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# radtest brandon admin123 10.10.10.10 0 radius123
Sent Access-Request Id 56 from 0.0.0.0:50631 to 10.136.201.182:1812 length 75
User-Name = "brandon"
User-Password = "admin123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "radius123"
Received Access-Accept Id 56 from 10.10.10.10:1812 to 0.0.0.0:0 length 28
Framed-Pool = "security"
The last line of the example output shows the Framed-Pool attribute in the Access-Accept. This means the RADIUS server is sending the proper reply and attribute; if it is missing here, the problem is in the RADIUS server's reply configuration rather than in the Access Server post-auth script.
If you have additional questions, please submit a ticket.